Hi everyone!

I have a problem. An avast popup appeared (here’s a screen: https://imgur.com/IzzmGqI), telling me a threat was secured (JS:CryptoNightMiner-A [Trj]).
If I close the popup, it reappears immediately. I tried to run a scan, and resolve the problems found, but the same popup keeps appearing. I rebooted my computer, and after a very short while, the popup reappeared. I have no idea what to do…

I use windows 10, and the free version of avast.

Thanks in advance.

EDIT: I did a scan with Malwarebytes also, but it didn’t find anything.

EDIT 2: Since the popup says “detected by Web Shield”, I decided to temporarily disable the web shield so that the popup doesn’t reappear, in order to be able to use my pc while I don’t know how to solve the problem. But surprise, even with the web shield disabled, the popup keeps appearing…

Post a screenshot of the popup please.

I posted it in the first message. Here it is again.

EDIT: I attached it.

Please see: https://forum.avast.com/index.php?topic=194892.0

Attach produced logs in your next reply. A certified malware expert will be notified.

Hi!

I followed the instructions given in the link you gave me.

On the first, step, at some point it says “When the scan is complete, if threats are detected, make sure that everything is selected, click Remove Selected” I didn’t have a “remove selected” button, just a “quarantine selected” one, so I used this one.

So, here are the logs.

Malware expert has been notified.

Second MBAM scan removed two miner executables unlike first one. What is system status now?

EDIT:
Also do this.

• Open Notepad (click Start button → type notepad.exe → press Enter)
• Copy text from code block below and paste it into Notepad

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

• Go to File → Save As
• Make sure that UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

What do you mean?

Are you still getting popups after MBAM scan?

Yes, I am.
If I close the popup, it is remplaced immediately by the same popup.
I I don’t close the popup, it re-pops after a few minutes.

Hi Gilead Maerlyn,
it looks like script shield detection. Script shield works inside browser and whenever it sees miner script it blocks it.
If you see the detection on different pages a miner might infect your browser (internal jscript which is executed during every page load event).

hqq.tv - might use mining as a price for watching their content ?
https://blog.sucuri.net/2017/10/cryptominers-on-hacked-sites-part-2.html

Clicking link above gives the block below but only partial block here.

I have no idea what hqq.tv is, I am not watching their content.

Does it happen when only YouTube is open?

It happens even when no browser is open.

Please post new FRST logs. Strange thing is that Avast report its own process for trying to access blocked URL.

Oh. I thought it was strange too.
Would reinstalling avast be a good idea?

Here are my new logs.

Hmmm… Can you reinstall Avast?

I have just finished reinstalling Avast. So far, no popup.

Looks like problem solved. I havent had a popup since I reinstalled Avast.